How much do data breaches really cost organizations? Are companies truly prepared to absorb the full extent of the costs associated with a data breach? New research from ExtraHop argues companies are not. The true costs are many multiples of the generally accepted estimates. "You can pay me now or pay him later" was an axiom used in 1970s television commercials. It suggests that if you pay a small amount for prevention now, you won't need to pay a great deal more in the future. However, this is only applicable when you have accurate and quantifiable data regarding real total costs.
It is difficult to estimate the actual short- and long-term financial costs of a cyber data breach. ExtraHop's 2024 True Cost of a Security Breach report offers an alternative way to calculate the financial consequences of a data breach. Their research considers multiple factors, including hidden or underestimated impacts that increase overall costs. Only by having a full understanding of the financial impact of a security breach can organizations properly assess their risks and prepare appropriately.
Data Breaches Cost How Much!
The conventional wisdom is that the average direct cost of a typical data breach is a few million dollars. That is a lot of money, but that amount is dwarfed by the figures publicly available. The cost of a cyber data breach ranges from $24 million to a staggering $2.5 billion.
This divergence is what ExtraHop's research addresses. By looking at specific incidents and by calculating not just the short-term direct costs but also long-term costs, they report that the average total overall data breach costs are closer to $677 million, a 27% increase from the $521 million reported in their 2023 report. They look at the overall costs differently by evaluating multiple factors that impact overall costs, including the hiring of third-party firms, incident remediation, security protection upgrades, lost revenue, regulatory fines, legal fees, reputational damage, business disruptions, company valuation, and more. Using this methodology, companies gain a better understanding of total costs, including those realized years after the initial disclosure. For example, in addition to the direct costs associated with a 2020 ransomware attack, a company paid civil penalties in 2023 of $3 million to the SEC and $49.4 million to various states. The following year they settled with California for $6.75 million.
Many Pay a Price
Security data breaches wreak havoc on company operations. Companies can lose customers, have their reputation tarnished, and see an overall increase in operational costs and a decline in revenue. Employees’ work is disrupted, and customers can become dissatisfied. Those who have their personal data compromised worry about this situation. Stockholders also pay a price. Among the seven companies studied in the ExtraHop report, stock prices declined by an average of 7% in the month immediately following the reporting of a breach. Although some companies can recover from a market value decline over time, one company highlighted in the report has lost more than 70% of its value over the year since its event. Evan Dornbush, former NSA cybersecurity expert, reiterates that “ExtraHop's research shows that it is increasingly more expensive to be a victim. Until the security community can find ways to make cybercrime too costly to pursue, it will be victims paying that price.”
The impact of a breach can potentially result in a company going out of business. Small and medium-sized businesses are especially vulnerable, with over 50% of small companies closing within months of a data breach. Larger companies are not immune. A study by Kovrr reports that a handful of S&P 500 companies could face insolvency as a result of a cybersecurity incident.
They are All Insiders
Cybersecurity data breaches and incidents are extremely costly when looked at holistically, but how are attackers avoiding security countermeasures? Primarily, they enter the IT environment using valid but compromised credentials. Threat actors ultimately infiltrate a network as an authorized user. They become an insider, allowing them to accomplish their goal, whatever that encompasses. According to the Verizon Data Breach Investigations Report, stolen credentials are the most common source of data breaches. This fact has remained consistent over the past decade, with 31% of the data breaches being the result of stolen credentials. Once inside a network, the invaders can move laterally and install malware.
Imperative to Strengthen Cyber Resilience
Threat actors use various methods to avoid endpoint and edge-based detection. In order to discover and respond to incidents, organizations need to turn to the one place that can't be turned off, sees everything, and leaves attackers nowhere to hide -- the network.
“It’s important for business leaders to recognize that no organization is immune to cyberattacks or the potential financial fall-out that comes with them – nor can they be too prepared," said ExtraHop's Co-founder and Chief Scientist, Raja Mukerji. By monitoring all network behavior, security teams will have full visibility of attacker activities, even when under the cover of a valid credential. Every action occurring on a network leaves a metadata trail. Observing network-based behaviors can uncover dubious operations that could represent malicious behaviors used by infiltrators, such as software downloads, network scans, lateral movement, privilege escalation, and command and control beaconing. A cybersecurity strategy that includes network-based detection and response alongside endpoint, SIEM, and other security tools improves an organization's chances of avoiding expensive and crippling data breaches.
Preparing for the Inevitable
Determining the true cost of security breaches is difficult, but ExtraHop's research highlights that conventional wisdom minimizes how much damage data breaches and ransomware actually cause. Cybersecurity incidents are more costly by multiples. This knowledge should encourage organizations to invest in various proactive prevention capabilities. The report’s case studies highlight that no organization is immune, but preparation, including leveraging the visibility available through a network-based detection and response system, makes it possible to reduce the risk of a catastrophic cyber incident. Given the huge stakes involved, companies should view cybersecurity resilience as a key cog in maintaining financial and business health. Security tools can be expensive, but it is money well spent when compared to the true cost of a massive data breach.